DNS, network security and the feared DDoS attack!
The purpose of the DNS (the Domain Name System, to give it its full title) is to map the domain names that are easy for humans to use and remember onto the IP addresses that network servers actually require. DNS is what allows you to type “Google.com” instead of having to type in or remember “http://188.8.131.52/”. You can think of DNS as the main directory service of the Internet, or the Internet’s phone book.
The Domain Name System (DNS) in Action
When you use a web browser to visit a website, the browser must first contact your current DNS server to find out the IP address of the website from its name. You may run your own DNS server, or it may be run by your Internet Service Provider; if you use a router, the router may forward DNS requests to your ISP. A DNS request is not made every time you visit a website: once a request has been made, your computer caches the response and remembers the IP address for a limited period of time.
DNS is very useful, but it is also problematic as it can be attacked. A DNS DDoS attack can cause a great deal of damage.
Because DNS servers serve as a phone book, they must be available to anyone with Internet access. This means that hackers can reach DNS servers, and they can also attack them.
Viruses and malware can change your default DNS server and replace it with a malicious one that directs you to a different site. For example, a copy of a site such as Twitter or a bank website could be hosted at a different IP address, and a visitor would believe they are on the legitimate site because that is what the browser address bar tells them. This may produce a certificate error message, so it is important to pay attention to any invalid certificate warning: it is an indication that the site is not legitimate.
What are DNS DDoS attacks?
Distributed Denial of Service (DDoS) attacks are a frequently used part of a hacker’s arsenal. They can cause a lot of damage, sometimes so severe that hardware may need to be replaced.
A DDoS attack on DNS starts with the hacker locating a DNS responder. Once the target’s responder has been located, the hacker can launch the attack, either against the resolver itself or against other systems. In a DDoS attack, the target receives millions of replies from numerous IP addresses around the world; some of them are real, others are spoofed.
Oftentimes, the purpose of a DDoS attack is to bring down a website and stop anyone from visiting it: traffic is sent from multiple sources and overwhelms the site. A non-distributed denial-of-service attack is relatively easy to block, as the IP addresses being used can be throttled. A distributed DoS attack is different, because the traffic comes from all over the world, and in many cases the IP addresses are spoofed, since an attacker does not want his or her real IP addresses to be shown.
DDoS attacks are conducted using a botnet: a network of zombie PCs that have been infected by a hacker and are used to send traffic to the target. The botnet software controls those machines, and the attacker controls the botnet.
Hackers sometimes conduct DDoS attacks not with the aim of killing a site or web service, but to hide other activity. A DDoS attack demands an IT department’s immediate attention and resources: staff must prevent software and hardware damage and try to keep the website available. While they fight the DDoS attack, other hackers in the group get to work on other parts of the network. This is why it is vital, after suffering a DDoS attack, to conduct a full system security check and audit the network to determine whether hackers gained access while you were fighting fires.
The Spamhaus DDoS Attack
A DDoS attack, especially one that sends enormous volumes of traffic, is usually short-lived. However, during the time the attack takes place it can cause permanent damage, and sometimes extremely large attacks are conducted that can bring down even the best-defended systems. Take Spamhaus, for example. Unsurprisingly, this anti-spam service is something of a target, being a 34-hour anti-spam operation. It serves billions of DNS requests and has robust defenses, but it is not immune to attack.
In March 2013, Spamhaus suffered an enormous DNS DDoS attack. It began with DNS requests sent from a spoofed IP address; each request triggered a reply packet, and more and more servers were drawn into participating in the attack. According to the Spamhaus report on the attack, 30,000 DNS resolvers took part.
It is possible to block certain IP addresses to counter an attack, but when an attack involves so many different IP addresses it is impossible to block them all. Because the range of IP addresses used was so large, it was not possible to throttle packets from the specific addresses being used in the attack.
Is It Possible to Prevent a DNS Attack?
To prevent DNS attacks, you must be able to identify malicious web traffic. Traffic on port 53, for example, is often just zone transfers syncing slave servers with masters, but the port can also be used by attackers. It is therefore essential to block port 53 zone transfers from any unauthorized slave name server.
If you want to prevent a DNS attack, it is important that you do not run an open responder that answers requests from any Internet address:
- Stop your DNS server from being an open responder. Restrict in-house recursive servers so that they only answer your own company’s IP subnets; it is essential to keep your resolver private.
- Use DNS response rate limiting when you configure your authoritative DNS servers. Set response rates and limit source addresses in a given time period; it may be possible to shut down an attack before its full force is felt by your server.
- Throttle DNS traffic by packet type.
- Monitor IP addresses to see which are using the most bandwidth. Your ISP can help you with this.
- Add variability to outgoing requests. This makes it harder for an attacker to get a response accepted.
- Overprovision your server: make sure you have sufficient bandwidth to absorb an attack. Since some attacks exceed 100 Gbps this may not be possible in all cases, but not all attackers have that kind of capacity.
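As an added illustration of three items from the list above (keeping the resolver private, response rate limiting, and watching which sources consume the most bandwidth), here is a small Python model that is not part of the original article and is not a real DNS server. The in-house subnets, the limits, and the query log lines are constructed assumptions, and the limiter mirrors the responses-per-second and slip ideas of BIND’s RRL in simplified form.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed in-house subnets: only these may use the server as a recursive resolver;
# everyone else gets authoritative answers for our own zones only.
IN_HOUSE = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample query log: (seconds, client IP, qname, recursion desired, answer bytes)
SAMPLE_QUERIES = [
    (0.0, "10.1.2.3", "www.example.com", True, 120),  # legitimate in-house lookup
    (0.1, "203.0.113.9", "isc.org", True, 0),         # outside host probing for an open resolver
    (0.2, "203.0.113.9", "isc.org", True, 0),
] + [  # burst of identical queries from spoofed sources in one /24, each wanting a large answer
    (1.0 + i / 10, f"198.51.100.{i + 1}", "example.com", False, 1200) for i in range(8)
]

def recursion_allowed(client_ip):
    """Recursion ACL: only in-house subnets may have this server resolve names for them."""
    ip = ip_address(client_ip)
    return any(ip in net for net in IN_HOUSE)

class ResponseRateLimiter:
    """Simplified RRL: count identical answers per source /24 (IPv4 assumed) in one-second
    windows; above the limit, drop most and answer every `slip`-th with a small truncated
    reply so a genuine client retries over TCP while a spoofed victim gets almost nothing."""
    def __init__(self, per_second=5, slip=2):
        self.per_second, self.slip = per_second, slip
        self.seen, self.over = defaultdict(int), defaultdict(int)
    def decide(self, t, client_ip, qname):
        key = (int(t), ip_network(f"{client_ip}/24", strict=False), qname)
        self.seen[key] += 1
        if self.seen[key] <= self.per_second:
            return "answer"
        self.over[key] += 1
        return "truncate" if self.over[key] % self.slip == 0 else "drop"

def process(records, limiter, truncated_bytes=40):
    """Apply the recursion ACL, then RRL; return action counts and bytes sent per source."""
    actions, bytes_by_src = defaultdict(int), defaultdict(int)
    for t, src, qname, wants_recursion, size in records:
        if wants_recursion and not recursion_allowed(src):
            actions["refused"] += 1  # a private resolver refuses strangers instead of answering
            continue
        action = limiter.decide(t, src, qname)
        actions[action] += 1
        bytes_by_src[src] += {"answer": size, "truncate": truncated_bytes, "drop": 0}[action]
    return dict(actions), dict(bytes_by_src)

def top_talkers(bytes_by_src, n=3):
    """Sources consuming the most outbound bandwidth, the monitoring the list recommends."""
    return sorted(bytes_by_src.items(), key=lambda kv: kv[1], reverse=True)[:n]
```

Running `process(SAMPLE_QUERIES, ResponseRateLimiter())` on the constructed log refuses the two outside recursive probes, answers the first five of the burst and drops or truncates the rest, so the spoofed /24 receives only a fraction of the bytes it asked for.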